2.3.5 Security release

We just issued a security release for django CMS 2.3. All versions are affected and users are encouraged to upgrade immediately.

The security issue fixed in this release allowed users with limited admin access to elevate their privileges through XSS injection using the page_attribute template tag. Only users with admin access and the permission to edit at least one django CMS page object could exploit this vulnerability. Websites that do not use the page_attribute template tag are not affected.
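To make the defect concrete, here is an added example (not django CMS's own code) of a simplified page_attribute-style tag in its vulnerable form and in its escaped form, with a regression check a site maintainer could keep in a test suite. The Page class, the attribute allow-list and the template stand-in are assumptions for illustration, and the standard library's html.escape stands in for django.utils.html.escape, which replaces the same characters.

```python
import html
from dataclasses import dataclass

# Constructed stand-in for a django CMS page object; the real model has far more fields.
@dataclass
class Page:
    title: str
    meta_description: str = ""

# Hypothetical allow-list of attributes the tag may expose.
ALLOWED_ATTRIBUTES = {"title", "meta_description"}

def page_attribute_unescaped(page: Page, name: str) -> str:
    """Vulnerable form: returns the stored attribute verbatim. Whatever markup a
    page editor saved in the attribute is emitted into the HTML as-is (stored XSS)."""
    if name not in ALLOWED_ATTRIBUTES:
        raise ValueError(f"unknown page attribute: {name}")
    return str(getattr(page, name))

def page_attribute_escaped(page: Page, name: str) -> str:
    """Fixed form, matching the 2.3.5 change: escape the value before returning it.
    quote=True also escapes " and ', which matters when the output lands in an attribute."""
    if name not in ALLOWED_ATTRIBUTES:
        raise ValueError(f"unknown page attribute: {name}")
    return html.escape(str(getattr(page, name)), quote=True)

def render_head(page: Page, tag) -> str:
    """Minimal stand-in for a template that uses the tag inside <title> and inside
    an attribute value; `tag` is one of the two functions above."""
    return (f"<title>{tag(page, 'title')}</title>\n"
            f'<meta name="description" content="{tag(page, "meta_description")}">')

def contains_raw_markup(rendered: str, stored_value: str) -> bool:
    """Regression check: True if a stored value containing HTML-significant
    characters reached the output without being escaped."""
    return stored_value in rendered and any(c in stored_value for c in "<>\"'&")

# Constructed sample: an editor saved markup in the title and quotes in the description.
SAMPLE = Page(title="About <script>alert(1)</script>",
              meta_description='Plain "quoted" text')

if __name__ == "__main__":
    print(render_head(SAMPLE, page_attribute_unescaped))  # markup reaches the browser
    print(render_head(SAMPLE, page_attribute_escaped))    # rendered as inert text
```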

Full list of changes in this release

The output of the page_attribute template tag is now escaped.

Affected versions

All versions are affected

Affected APIs

The vulnerability is in the page_attribute template tag. Only websites using this template tag are vulnerable.

General note regarding security reporting

Please report any potential security issues via private email to [email protected], and not via a public channel such as our IRC channel, our mailing lists or our bug tracker.